This repository has been archived by the owner on Mar 30, 2022. It is now read-only.

AWS Cognito Misconfiguration buckets #3

Closed
erev0s opened this issue Sep 23, 2021 · 4 comments

Comments


erev0s commented Sep 23, 2021

The given identity pool can access two buckets, one of which has full control granted to all users. Was that bucket supposed to contain something?
Based on the description here https://docs.insecureshopapp.com/insecureshop-challenges/aws-cognito-misconfiguration
I thought that you probably had something different in mind (like giving permission to write the ACL but not to read, so the user would first have to add the read permission for all users before seeing the files).
Is that the case?

(I also thought that someone before me could have overwritten this, for example, and deleted any file you had there.)
In any case I don't know if the bucket is intentionally empty or not, hence this issue.

hax0rgb (Collaborator) commented Sep 23, 2021

Hi @erev0s

The bucket 84r4ppx76qhqj4bsgu8w is misconfigured and provides read access to all users. This is intentional.
The bucket 84r4ppx76qhqj4bsgu8w contains a file called Congratulations.txt. But you are right, the bucket looks empty now. Looks like the file got deleted.

I don't plan to provide write access to the bucket. Only read access should be there.
I'll also review the bucket settings now. Thanks for bringing this up.

hax0rgb (Collaborator) commented Sep 23, 2021

Hey @erev0s

I have re-uploaded the Congratulations.txt file. The bucket can only be used to list the objects and read files. You should not be able to write or delete data in the bucket.

erev0s (Author) commented Sep 23, 2021

@0xgaurang thanks for the fast reply.
Indeed I can verify that the congratulations.txt is available now.

There are two buckets in total with these creds:

➜  InsecureShop git:(main) ✗ aws s3 ls
2020-08-16 17:28:46 84r4ppx76qhqj4bsgu8w
2020-11-15 18:31:10 elasticbeanstalk-us-west-2-094222047775

and on the second one the permission is set to full control. I uploaded the APK of the app there as a PoC.

Congrats on the nice app you made.
Keep going!

hax0rgb (Collaborator) commented Sep 25, 2021

Hi @erev0s

Thank you for pointing out that you were able to upload files to the elasticbeanstalk-us-west-2-094222047775 bucket. This is just a test bucket that I created for some research work. I have modified the permissions on this bucket and no one should be able to upload/delete files.

If Cognito Pool ID has list bucket permissions for unauthenticated entities, then you should be able to view the name of all the buckets owned by that organization. At this point, you need to identify which bucket has insecure permissions set.

Hope this resolves your query.

@hax0rgb hax0rgb closed this as completed Sep 25, 2021
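The last comment describes the root cause: the identity pool's unauthenticated role could list every bucket in the account, and one bucket additionally allowed writes. The following audit script is an added example, not code from the InsecureShop project. It checks an IAM policy document (constructed here) attached to a Cognito unauthenticated role and flags grants that go beyond read-only access to the challenge bucket named in the thread, then shows the least-privilege policy that matches the intended "list and read only" behaviour.

```python
import fnmatch

# Actions that let an anonymous Cognito identity enumerate every bucket in the
# account (what `aws s3 ls` relied on) or modify data/ACLs in a bucket.
SENSITIVE_ACTIONS = (
    "s3:ListAllMyBuckets", "s3:PutObject", "s3:DeleteObject",
    "s3:PutObjectAcl", "s3:PutBucketAcl", "s3:PutBucketPolicy",
)
CHALLENGE_BUCKET = "84r4ppx76qhqj4bsgu8w"  # bucket name from the thread


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_unauth_policy(policy, allowed_bucket):
    """Return (statement index, finding kind, detail) for each problem found.

    A statement passes only if it grants no sensitive S3 action and every
    Resource is exactly the challenge bucket ARN or its object ARN pattern.
    """
    ok_resources = {f"arn:aws:s3:::{allowed_bucket}",
                    f"arn:aws:s3:::{allowed_bucket}/*"}
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(p == "*" or p.startswith("s3:") for p in patterns):
            continue  # not an S3 grant
        # IAM action wildcards ("s3:*", "s3:Put*") match like shell globs.
        granted = [a for a in SENSITIVE_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if granted:
            findings.append((i, "sensitive-action", ", ".join(granted)))
        wide = [r for r in _as_list(stmt.get("Resource", [])) if r not in ok_resources]
        if wide:
            findings.append((i, "resource-beyond-bucket", ", ".join(wide)))
    return findings


def least_privilege_policy(bucket):
    """Read-only policy for the intended challenge: list the bucket, read objects."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}


# Constructed example of the overly broad grant the thread describes.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
```

Running `audit_unauth_policy(WEAK_POLICY, CHALLENGE_BUCKET)` reports both the sensitive actions and the account-wide resource, while the policy returned by `least_privilege_policy(CHALLENGE_BUCKET)` yields no findings.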